9

I am generating an X509 certificate through code (using OpenSSL APIs) for my server application. I have just added support for TLSv1.3 by adding TLSv1.3 ciphers in the supported list in my code.

There is no change in certificate generation and assigning RSA pub + private key to the certificate.

I have upgraded curl & OpenSSL libraries on client to enable TLSv1.3 connection. Upgraded Curl version: 7.63.0 & OpenSSL version: 1.1.1

I am seeing the error below:

* TCP_NODELAY set
* Connected to <domain> (<ip-address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: myCA.pem
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1781 bytes data]
* TLSv1.3 (OUT), TLS alert, decrypt error (563):
} [2 bytes data]
* error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

The same error occurs even with TLSv1.2 (using the same upgraded client).

What am I missing here? Please help.

Brijesh Valera
  • 1,085
  • 2
  • 9
  • 30
  • Most likely you did something wrong creating the cert(s). I take the filename `myCA.pem` to suggest you are using your own CA(s) and not self-signed. How many? Post an example (as a complete chain that should be verifiable, but not privatekeys unless they are expendable). Assuming you have them in convenient files, try commandline `openssl verify -CAfile root_and_any_imed.pem -purpose sslserver leaf_only.pem` – dave_thompson_085 Mar 05 '19 at 21:57

4 Answers

2

I know this is an old one, but I just had the same issue because I copied a PEM file from Windows with CRLF included instead of LF.

Use cat -v cert.pem to check for it.
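As an added example (not part of the answer above, and not code from the question's project), here is the check and the fix as a small POSIX sh script: it builds a placeholder PEM file with Windows line endings, detects the carriage returns the way cat -v reveals them, and writes an LF-only copy. The file names, the temp directory and the base64 body are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the answer above): detect CRLF line endings in a
# PEM file, the defect cat -v shows as trailing ^M, and produce an LF-only copy.
# The PEM body below is a constructed placeholder, not a real certificate.

# True (exit 0) when FILE contains at least one carriage return.
pem_has_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# Copy IN to OUT with every carriage return removed; the base64 body and the
# BEGIN/END markers are untouched, so the PEM decodes exactly as before.
pem_strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Write a sample PEM with Windows line endings, like a file copied from Windows.
make_crlf_sample() {
    printf '%s\r\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBY29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydA==' \
        '-----END CERTIFICATE-----' > "$1"
}

demo() {
    dir=$(mktemp -d)
    make_crlf_sample "$dir/cert.pem"
    if pem_has_crlf "$dir/cert.pem"; then
        echo "cert.pem has CRLF line endings (cat -v shows them as ^M):"
        cat -v "$dir/cert.pem"
        pem_strip_crlf "$dir/cert.pem" "$dir/cert-lf.pem"
        pem_has_crlf "$dir/cert-lf.pem" || echo "cert-lf.pem is LF-only; use this copy"
    fi
    rm -rf "$dir"
}

demo
```

Run it as `sh check-pem.sh`; to check a real file, call pem_has_crlf on it and, if it reports true, feed the pem_strip_crlf output to OpenSSL or curl instead of the original.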

0

I was issuing a self-signed certificate by a self-created CA to use for web development on localhost and was getting the same error. I tried to create a working SSL certificate multiple times but always got this error (error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding), and I had multiple certificate authorities with the same CN registered in my operating system's trust source (/etc/ca-certificates/trust-source on Manjaro).

How I solved the problem: I deleted all these "duplicates" and ran update-ca-trust to regenerate the list of CAs trusted by my system. Then I imported my self-created CA once, generated an SSL certificate against it and used the crt and key in my web server. Finally, no error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding when curling into it!

gvlasov
  • 18,638
  • 21
  • 74
  • 110
0

I found this thread when searching this invalid padding error. It seems as if there are multiple causes. In my case, I was signing the leaf certificate with its own private key instead of the CA certificate's private key.

jasonf
  • 136
  • 11
-2

curl: (35) error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

To avoid it you can use the option -k.

It works the same as when we use Postman and turn off the SSL certificate verification option in the settings.

Please find a sample curl command showing how to use the -k option below:

curl --location --request POST 'https://sample.ap-south-1.elb.amazonaws.com/v1/messages' --header 'Content-Type: application/json' --header 'Authorization: Bearer xxxxx' --data-raw '{ "to": "91xxx", "type": "image", "recipient_type": "individual", "image": { "id": "56dxxxx", "caption": "your-image-caption Saket jain how are you" } }' -k

saket jain
  • 29
  • 1
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Sep 01 '22 at 21:03